#!/bin/bash

mac=$2;				
ip=$3; 				
ipMascaramento=$4; 		
portaAuth=$5; 			
portaSquid=$6; 			
ethOut=$7; 			
ethIn=$8;			

ipReal=$9;			
proxyTransparente=${10};	

#teste
#mac="00:1C:BF:A8:A0:51";ip="172.32.16.2";ipMascaramento="200.253.21.2";portaAuth="8080";portaSquid="3128";ethOut="eth0";ethIn="eth1";ipReal="false";proxyTransparente="true";

null=$(cat /dev/null);

tratarSaida(){
	echo $2
}
consultarTrafego(){
	if [ "$ipReal" == false ]; then
		trafego=$(iptables -nvx -L FORWARD | grep -i accept | grep -w -m 1 $mac );
		if [ "$trafego" == "$null" ]; then 
			echo "-1"; 
		else
			tratarSaida `echo $trafego`;
		fi
	else
		trafego=$(iptables -nv -L FORWARD | grep -i accept | grep -w -m 2 $ip );
		if [ "$trafego" == "$null" ]; then
			echo "-1";
		else
			cat <(iptables -nv -L FORWARD | grep -w -m 2 $ip ) | 
			while read LINHA
			  do 
				tratarSaida `echo $LINHA`; 
			done
		fi
	fi
}
tirarSquid(){
	resto=$1;
	qnt=$(iptables -n -t nat -L PREROUTING |grep -w $ip | grep -w $portaSquid |wc -l);
	for (( i=$(($resto+1)); i<=$qnt; i++)); do
		LINHA=$(iptables -n -t nat -L PREROUTING | grep -wn $ip | grep -w -m 1 $portaSquid);
		NUM_LINHA=$((${LINHA%%:*}-2));
		tirarSquid="/sbin/iptables -t nat -D PREROUTING $NUM_LINHA";
		$tirarSquid;
	done
}
tirarAuth(){
	resto=$1;
	qnt=$(iptables -n -t nat -L PREROUTING |grep -w $ip | grep $portaAuth |wc -l);
	for (( i=$(($resto+1)); i<=$qnt; i++)); do
		LINHA=$(iptables -n -t nat -L PREROUTING |grep -wn -m1 $ip |grep $portaAuth );
		NUM_LINHA=$((${LINHA%%:*}-2));
		tirarAuth="/sbin/iptables -t nat -D PREROUTING $NUM_LINHA";
		$tirarAuth;
	done
}
tirarSnat(){
	resto=$1; 
	qnt=$(iptables -n -t nat -L POSTROUTING | grep -w $ip |grep SNAT| wc -l);
	for (( i=$(($resto+1)); i<=$qnt; i++)); do
		LINHA=$(iptables -n -t nat -L POSTROUTING | grep -wn -m 1 $ip | grep SNAT);
		NUM_LINHA=$((${LINHA%%:*}-2)); 
		tirarSNAT="/sbin/iptables -t nat -D POSTROUTING $NUM_LINHA";
		$tirarSNAT;
	done
	
}
colocarAuth(){
	qnt=$(iptables -n -t nat -L PREROUTING |grep -w $ip | grep $portaAuth |wc -l);
	if [ $qnt -eq 0 ]; then
		colocaAuth="/sbin/iptables -t nat -I PREROUTING -i $ethIn -s $ip/32 -p tcp --dport 80 -j REDIRECT --to-port $portaAuth";
		$colocaAuth;
	elif [ $qnt -gt 1 ]; then
		tirarAuth 1;
	fi
}
colocarSquid(){
	qnt=$(iptables -n -t nat -L PREROUTING |grep -w $ip | grep $portaSquid |wc -l);
	if [ $qnt -eq 0 ]; then
		colocarSquid="/sbin/iptables -t nat -I PREROUTING -i $ethIn -s $ip/32 -p tcp --dport 80 -j REDIRECT --to-port $portaSquid";
		$colocarSquid;
	elif [ $qnt -gt 1 ]; then
		tirarSquid 1;
	fi
}
colocarSnat(){
	qnt=$(iptables -n -t nat -L POSTROUTING |grep -w $ip | grep -i snat |wc -l);
	if [ $qnt -eq 0 ]; then
		colocarSnat="/sbin/iptables -t nat -A POSTROUTING -s $ip/32 -o $ethOut -j SNAT --to-source $ipMascaramento";
		$colocarSnat;
	elif [ $qnt -gt 1 ]; then
		tirarSnat 1;
	fi
}
bloquear(){
	# Tirando a regra de SNAT
	tirarSnat 0;
	
	# Retirando qualquer regra que exista na chain PREROUTING e redirecione para a porta do SQUID;
	tirarSquid 0;

	# Colocando a regra que redireciona para a autenticação WEB, se ela já não existir
	colocarAuth;
	consultarTrafego;
}

liberar(){
	# Tirando regra que redireciona para a autenticação WEB
	tirarAuth 0;
	
	# Colocando, se não houver, o redirecionamento para o SQUID
	if $proxyTransparente ; then
		colocarSquid;
	else
		tirarSquid 0;
	fi 
		
	# Colocando a regra de SNAT
	if [ "$ipReal" == false ];then
		colocarSnat;
	# Caso o ip seja REAL e exista ,por engano, uma regra de mascaramento, esse elif tira esse mascaramento
	elif [ "$ipReal" == true ] ;then
		tirarSnat 0;
	fi 
	consultarTrafego;
}



case "$1" in
	-b) bloquear;;
	-l) liberar;;
	-c) consultarTrafego;;
esac
